The Rise of Nation State Counterintelligence and Cyber Threats


Post on 28-Jul-2020


2/25/2019


The Rise of Nation State Counterintelligence and Cyber Threats

SSA Darren Mott

Birmingham Division

RISK = Threats x Vulnerability


The Evolution of the Cyber Threat

Late 80s-Mid 90s – Nuisance attacks and online-enabled fraud

Mid 90s – Early 2000s – Mischievous intrusions and the rise of botnets and Denial of Service Attacks

Mid to late 2000s – Beginning of nation state attacks and the explosion of data and financial theft.

2010 to current – Hybrid attacks, nation-state backed attacks/economic espionage, targeting of non-traditional computers.


In 2018 What are the Cyber Threats?


Current Examples of Threat Complexity

High Profile Intrusions

• Historical Data Breaches


High Profile Intrusions

2018 CyberSecurity Stats

• IoT attacks up 600% over 2017

• Ransomware up 350% annually

• Microsoft Office products make up 38% of malicious file extensions.

• 61% of breach victims are companies with less than 1000 employees

• Average cost of malware attack for a business is $2.4 million

• Damage related to cybercrime is projected to hit $6 Trillion by 2021.

• Source: Varonis @ https://blog.varonis.com/cybersecurity-statistics/


What are hackers looking for?

Criminal Hackers

• Personal Information

• Passwords

• Usernames

• Email addresses

• Social Media Accounts

Intelligence Services

• Personal Information

• Passwords

• Usernames

• Email addresses

• Social Media Accounts

• Vulnerabilities to Exploit

• Networks to “persist” in

Criminal Cyber Threats

• Cyber tradecraft enables traditional crimes:
  • Financial Theft
  • Child Pornography
  • Drug Trafficking
  • Extortion (Ransomware)
  • Business Email Compromise
  • Phishing/Whaling
  • Domestic Abuse


Nation State CI/Cyber Threats

• Nation states utilize cyber tradecraft to engage in the following activity:
  • Espionage
  • PII Theft
  • Theft of economic/proprietary information
  • Reconnaissance
  • Asset Development
  • Proliferation
  • Warfare planning
  • Academic Research

• Targeting of all Public and Private sector companies

• US Technological Advantage is shrinking


Trivia Question:

• Who was the first true American spy?

• A) Nathan Hale

• B) Benedict Arnold

• C) Benjamin Church


Dr. Benjamin Church

• “Chief Physician and Director General” of the Medical Service of the Continental Army

• Member of Boston’s Sons of Liberty

• Motive: Deeply in debt

• Tradecraft used:
  • Cipher letter (in code)
  • Cutouts

• Arrested in October 1775
  • Supplying information to British as early as February 1775.
  • Battles of Lexington and Concord were April 19, 1775

Espionage is all‐encompassing

• In the 1980s a KGB spy was recorded telling a Cuban counterpart that the USSR only needed three generals to defect to win the cold war.

  • General Electric
  • General Motors
  • General Dynamics


Lockheed Martin F‐35B Lightning II 

Shenyang J‐31


Northrop Grumman X‐47B Unmanned Combat Air Vehicle (UCAV)

Chinese Lijian Sharp Sword UCAV


Northrop Grumman MQ‐8 Fire Scout unmanned helo

Chinese SVU‐200 Flying Tiger unmanned helo


General Atomics MQ‐1 Predator UAV

Chengdu Wing Loong “Pterodactyl” UAV


Anatomy of an Intrusion


So Where are we headed?

• The Private Sector, Academia, and the FBI need to be prepared for the following risk vectors:
  • The rise of mobile devices as the primary computer platform of choice
  • The rise of the Internet of Things and their vulnerabilities
  • Advances in encryption
  • Targeting of vulnerable sectors
  • Use of HUMINT tradecraft to enable cyber tradecraft and vice versa
  • The lack of advance in human nature


Concerns and Risks for all Sectors

• Business Email Compromise

• Criminal actors will target vulnerable and previously untargeted sectors.

• Foreign Intelligence Services are becoming a greater threat than criminal organizations.
  • Advanced Persistent Threats
  • Cozy Bear/Fancy Bear
  • Pick a country…….

• Most intrusions STILL begin with a spearphishing email.

The Future

Artificial Intelligence

Self-Driving Cars

Embedded Medical Devices

BlockChain Technology

Technology to be named later!


Points to Note

• Data Breaches are not slowing down (neither is spending on cybersecurity).

• Nobody expects to be a victim.

• If you call us it's too late, if we call you it’s very bad.

• Identify your crown jewels and protect them!

• Think of your employees as your first line of defense. Educate them!

• 90 percent of Intrusions start with a spear phished email.

• Nation state actors are hiding their activity among more easily recognized criminal cyber activity.

Protection from Risks

• Multi-factor authentication
  • https://twofactorauth.org/

• Use a VPN (especially when traveling)

• Companies should invest in development and deployment of Risk Management Frameworks, Threat Analysis, and enhanced employee education. (NIST, COBIT 5, ISO 27001)


Basic Cybersecurity Principles

• Think before you click/act

• Separate passwords for business critical accounts. Specifically use a random string of words for your passwords.

• Patch and update software and Operating Systems

• Backup everything

• Every organization needs to have a plan, not just IT security but a counterintelligence plan.

Incident Preparedness

Legal Banner/Computer Use Agreement

Network Topography Maps

List of Network Devices

Incident Logs (security, host, IDS, web, database)

Archived Network Traffic

Proper Access Control

Business Continuity Planning

Disaster Recovery Procedures

Security/responsibility training for employees

Maintain regular backups of sensitive data

Create an emergency response protocol for incidents

Contract with a reputable company for incident response

Develop a working relationship with law enforcement before incidents occur.


Social Networks, aka Web 2.0

WEB 2.0 Stats

• The number of internet users worldwide in 2018 is 4.021 billion, up 7 percent year-on-year

• The number of social media users worldwide in 2018 is 3.196 billion, up 13 percent year-on-year

• The number of mobile phone users in 2018 is 5.135 billion, up 4 percent year-on-year

• THIS IS A LOT OF TARGETS!

Source: https://www.smartinsights.com/social-media-marketing/social-media-strategy/new-global-social-media-research/


Ideal Exploitation Platform

• Social networks have intrinsic properties that make them ideal to be exploited by an adversary:
  • Difficult to police: very large and distributed user base
  • Trust network: clusters of users sharing the same social interests developing trust with each other
  • Platform openness for developing applications that are attractive to the general users who will install them

• Foreign Intelligence Services are mining these networks for information

Social Networking = Data Leakage

• The SN value proposition is information sharing

• Unfortunately we give out too much information

• Information can be obtained by simple searching

• Facebook
  • Information is not always reserved for friends
  • Family members can be a source of data leakage
  • Applications are attack vectors

• Twitter
  • Followers = Huge pool of victims
  • Limited policing

• LinkedIn
  • Are all your “Links” secured?


As an example

• “It took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!) the second was somewhat harder, the question was “where did you meet your spouse?”

WAY Too Much Information (or compromised account)


WARNING

Questions?

SSA Darren J. [email protected]/in/darrenmott

Thank You
